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1. Introductions and apologies 
i Elizabeth Denham advised that Simon Entwisle had sent 
his apologies. He was unable to attend what would have been 
his last Management Board meeting before his retirement. 
Elizabeth wanted to record her personal thanks to Simon for 
his support and to his wider commitment and work for the 
ICO over the last 13 years. This was echoed by other board 


members. 


1.2. Emma Bate was welcomed to her first official meeting in 
support of the Management Board. Amanda Williams was also 
welcomed as to the meeting as an observer. 


2. Declaration of interests 


2.1. There were no declarations of interest. 


3. Matters arising from the previous meeting 


3.1. The minutes had been agreed in correspondence. There 
were no suggested amendments. 
3.2. There were no outstanding actions. 


4. Commissioner’s introduction 


4.1. The Commissioner provided an update on the work of 
the ICO and issues affecting it. 
4.2. In general the focus of the office was very much on 


preparation for GDPR in May 2018 and the progress of the DP 
Bill through Parliament. 

4.3. International work was also a priority. The office had 
recently hosted an international conference in Manchester 
and the Commissioner had attending the ICDPCC in Hong 
Kong. 

4.4. In respect of GDPR guidance, the ICO was working 
towards a core of guidance which crossed all sectors and 
specific guidance for sectors which were a priority in terms of 
awareness, such as SMEs and charities. The need to wait for 
agreement on Article 29 guidance introduced some delay but 
consistency was required. 

4.5. Staff recruitment and retention remained an issue and 
steps were being taken to mitigate the risks in this area. Paul 
Arnold expected to bring an options paper to the February 
Management Board. 


5. Discussion items 


Data Ethics and Data Protection 

5-1, Steve Wood introduced a briefing paper on data ethics 
and on proposals for taking work this area forward which the 
ICO was inputting into. 


Regulatory Action Policy 

Buz, James Dipple-Johnstone presented a draft Regulatory 
Action Policy. The document aimed to combine five current 
policies across data protection and freedom of information 
which explained what the ICO does; not just in terms of 
enforcement but covering casework and intelligence work. 
This would simplify the ICO messages in this area and update 
ICO work to cover GDPR and other changes. 

5:3 The Board supported the aims of the change and the 
approach being taken. 


Resource and Infrastructure Strategic Plan 

5.4. Paul Arnold introduced a draft Resource and 
Infrastructure Plan which pulled together the different on- 
going work in this area into one document. It had been to the 


Senior Leadership Team. The document was aimed at staff 
and key stakeholders. 

5:5.: The plan was supported by the Board which provided 
minor comments of detail. Paul Arnold was to amend the plan 
as per the discussion and to publish it. 


ISO 27001 

5.6. Paul Arnold advised that the ICO wished to seek ISO 
27001 accreditation by quarter two next year. The matter 
had been brought to Audit Committee and Ailsa Beaton, chair 
of the Audit Committee, explained the Committee’s support 
for the decision. 

5.7. The Board confirmed that the ICO should go ahead and 
seek ISO 27001 accreditation. 


. Board performance review process 

6.1. A process for assessing the performance of Board 
members had been presented at the last Board meeting. 
Following discussion at that meeting the process had been 
amended further and agreed by Non-executive Directors in 
correspondence. 

6.2. The Board agreed the revised process. 


. Risk and opportunity management 

Fel The Corporate Risk and Opportunity register was 
reviewed. 

7-2 The increasing difficulty in recruiting staff externally was 
noted. Mitigation included the possible outsourcing of some 
work. 

7.3. The Board also considered that the risk status related to 
the ICO’s new funding model should to be raised due to 
timing issues. 


. Performance against the Information Rights Strategic Plan 

8.1. The report on performance against the Information 
Rights Strategic Plan was presented for information. It was 
noted that the report was evolving and comments were 
welcomed. 

8.2. It was thought, to enable the detail which followed to be 
put into context, that the report needed an introduction 
giving a view on overall performance before providing the 
detail, which could give a misleading impression as to what 
the ICO was actually achieving. 

8.3. Elizabeth Denham confirmed that her view was that, 
given the amount of change the ICO was preparing for, ICO 
performance was exceptional. 


9. Management accounts 
9.1. The quarterly finance report was presented for 
information. The difficulties in estimating future income and 
expenditure were noted. 


10. Supporting information 

10.1. This agenda item was an opportunity for the Board to 
discuss matters raised in supporting information. 

10.2. In respect of the DCEO Directorate report, the Board 
asked for information in future reports on the seriousness of 
ICO information security breaches concerning personal data. 
The Board also asked for issues in the report shown as amber 
or red to be explained. 

10.3. Noting the Operations Directorate performance report, 
the Board commented that maintaining this excellent 
performance was a significant achievement given the 
unprecedented change the organisation was undertaking. 

10.4. It was confirmed by Elizabeth Denham that Corporate 
Governance and Organisational Development would bring a 
paper to the next Management Board on how the Board 
would cover its responsibilities it had taken on from the 
Remuneration Committee. 


